CN111581646A - Data processing method, device, storage medium and processor - Google Patents

Data processing method, device, storage medium and processor

Info

Publication number: CN111581646A
Authority: CN (China)
Prior art keywords: metric, measurement, metric object, target operation, determining
Legal status: Granted; currently active
Application number: CN202010382663.XA
Other languages: Chinese (zh)
Other versions: CN111581646B (en)
Inventors: 孙瑜, 王大海, 夏攀, 王伟, 王志江, 张娜
Current assignee: BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Original assignee: BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD
Application filed by BEIJING KEXIN HUATAI INFORMATION TECHNOLOGY CO LTD; priority to CN202010382663.XA
Publication of CN111581646A; application granted and published as CN111581646B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities


Abstract

The invention discloses a data processing method, a data processing device, a storage medium and a processor. The method comprises the following steps: determining a first metric object and a second metric object of a target operation, wherein the first metric object and the second metric object are associated; performing static measurement on the first metric object to obtain a first metric result, and performing dynamic measurement on the second metric object to obtain a second metric result; and performing the target operation based on the first metric result and the second metric result. The invention solves the technical problem that data in operation cannot be comprehensively measured.

Description

Data processing method, device, storage medium and processor
Technical Field
The present invention relates to the field of data processing, and in particular, to a data processing method, apparatus, storage medium, and processor.
Background
Currently, measurement of data comprises static measurement and dynamic measurement. However, each has limitations and neither achieves comprehensive measurement of data. For example, static measurement cannot measure the related system environment: a login program may be legal while the login environment has been compromised and is untrustworthy, so that a user name and password may be stolen when the user logs in; in addition, static measurement cannot check executable code while it is running. Dynamic measurement is performed on a timed basis, so it cannot measure in real time and cannot perform control and interception. The technical problem that data in operation cannot be comprehensively measured therefore exists.
In view of the above-mentioned problem that the prior art cannot comprehensively measure data in operation, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the invention provides a data processing method, a data processing device, a storage medium and a processor, which are used for at least solving the technical problem that data in operation cannot be comprehensively measured.
According to an aspect of an embodiment of the present invention, there is provided a data processing method. The method can comprise the following steps: determining a first metric object and a second metric object of a target operation, wherein the first metric object and the second metric object are associated; performing static measurement on the first measurement object to obtain a first measurement result, and performing dynamic measurement on the second measurement object to obtain a second measurement result; the target operation is performed based on the first metric result and the second metric result.
Optionally, determining the first metric object and the second metric object of the target operation comprises: determining the measurement object as a first measurement object when the type of the measurement object in the target operation is a first type, wherein the first type comprises at least one of the following types: executable code, script files, dynamic link libraries and kernel modules; in the case that the type of the metric object in the target operation is a second type, determining the metric object as a second metric object, wherein the second type includes at least one of: kernel data structure, kernel jump table, kernel execution code segment.
Optionally, determining the first metric object and the second metric object of the target operation comprises: when a metrology object in a target operation executes, the metrology object is determined to be a first metrology object and a system environment associated with the metrology object is determined to be a second metrology object.
Optionally, when the metric object in the target operation executes, determining the metric object as a first metric object includes: when the executable code in the target operation executes, the target program and the dynamically linked library of the target operation are determined to be the first metric object.
Optionally, determining the system environment associated with the metric object as a second metric object comprises: determining a system call environment associated with a target program of the target operation, wherein the system call environment comprises at least one of: the environment of a first system call for opening a target file, and the environment of a second system call for reading an input operation; and determining the system call environment as the second metric object.
Optionally, determining a second metric object of the target operation comprises: and when the executable code in the target operation is in the running process, determining the executable code as a second metric object, wherein the executable code is the code of the target remote service.
Optionally, dynamic measurement is performed on at least one of the following second measurement objects to obtain the second measurement result: a process code segment, a kernel code segment, a system call table, an interrupt descriptor table, a network address family or protocol family, a file system, and a driver code segment.
Optionally, performing static measurement on the first measurement object to obtain a first measurement result, including: and performing static measurement on the first measurement object based on the second measurement result to obtain a first measurement result.
Optionally, performing static measurement on the first metrology object based on the second metrology result to obtain a first metrology result, including: and verifying the legality of loading the intercepted program on at least one of the program file, the dynamic library file and the keyboard drive based on the second measurement result, and/or verifying the legality of accessing the intercepted file on the configuration file based on the second measurement result to obtain the first measurement result.
According to another aspect of the embodiment of the invention, a data processing device is also provided. The apparatus may include: a determining unit for determining a first metric object and a second metric object of a target operation, wherein the first metric object and the second metric object are associated; a measurement unit for performing static measurement on the first metric object to obtain a first metric result and dynamic measurement on the second metric object to obtain a second metric result; and an execution unit for executing the target operation based on the first metric result and the second metric result.
According to another aspect of the embodiments of the present invention, there is also provided a storage medium. The storage medium includes a stored program, wherein the apparatus in which the storage medium is located is controlled to execute the data processing method of the embodiment of the present invention when the program is executed by the processor.
According to another aspect of the embodiments of the present invention, there is also provided a processor. The processor is used for running a program, wherein the program executes the data processing method of the embodiment of the invention when running.
The data processing method comprises the steps of determining a first measurement object and a second measurement object of target operation, wherein the first measurement object and the second measurement object are associated; performing static measurement on the first measurement object to obtain a first measurement result, and performing dynamic measurement on the second measurement object to obtain a second measurement result; the target operation is performed based on the first metric result and the second metric result. That is to say, the application combines the static measurement and the dynamic measurement to complement respective defects, realizes a credible cooperation mechanism, avoids the problem that the data in the operation cannot be measured comprehensively due to the single use of one measurement, solves the technical problem that the data in the operation cannot be measured comprehensively, and achieves the technical effect of measuring the data in the operation comprehensively.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow chart of a method of data processing according to an embodiment of the invention;
FIG. 2 is a schematic diagram of a trusted system mechanism, according to an embodiment of the present invention; and
FIG. 3 is a schematic diagram of a data processing apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
In accordance with an embodiment of the present invention, there is provided an embodiment of a data processing method, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system such as a set of computer executable instructions, and that while a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than that herein.
Fig. 1 is a flow chart of a data processing method according to an embodiment of the present invention. As shown in fig. 1, the data processing method may include the steps of:
step S102, a first measurement object and a second measurement object of the target operation are determined, wherein the first measurement object and the second measurement object are associated.
In the technical solution provided by step S102 of the present invention, the target operation is an operation that needs to be verified, for example a user login operation. A first metric object and a second metric object of the target operation are determined. The first metric object is an object that needs to be statically measured and may include a binary executable program (for example an ELF-format program on a Linux system), a script file, a dynamic link library (for example a PAM library), a kernel module, and the like. The second metric object is an object that needs to be dynamically measured and may include a kernel data structure, a kernel jump table, a kernel execution code segment, and the like. The kernel data structure, that is, a key kernel data structure, may further include a network address family or protocol family and a key file system structure, where the network address family or protocol family may be the network protocol related to Secure Shell (SSH) remote login. The kernel jump table, that is, a key kernel jump table, may include the interrupt descriptor table (IDT), the system call table (syscall table), and the like, where the system call table may be related to opening a program file by the open system call and reading a user name/password by the read system call. The kernel execution code segment, that is, a key kernel execution code segment, may include a process code segment, a driver code segment, a kernel code segment, and the like, where the process code segment may be the code segment of the login process.
The first metric object and the second metric object of this embodiment have an association relationship, and the association relationship may be that when the first metric object is statically measured and cannot achieve comprehensive measurement, the second metric object may be dynamically measured to achieve the purpose of metric complementation, for example, if the first metric object is executable code during execution, the second metric object is a system environment associated with the first metric object; for another example, the SSH service may be a first metric object when the SSH service is started and a second metric object during operation of the SSH service.
Step S104, the first measurement object is subjected to static measurement to obtain a first measurement result, and the second measurement object is subjected to dynamic measurement to obtain a second measurement result.
In the technical solution provided in step S104 of the present invention, after the first metric object and the second metric object of the target operation are determined, the first metric object is statically measured to obtain a first metric result, and the second metric object is dynamically measured to obtain a second metric result.
In this embodiment, the first metric object is statically measured to obtain the first metric result, that is, a static metric function is used for the first metric object, and the static metric function is used for preventing unauthorized code execution and is the most important function for the runtime credibility of the system. The technical scheme adopting the static measurement can follow the whole scheme of a trusted software base, and can adopt measurement, judgment, a control mechanism and the like to complete the static measurement function.
In this embodiment, the second metric object is dynamically measured to obtain a second metric result, that is, a dynamic metric function is used for the second metric object, the dynamic metric function is to select a suitable metric opportunity for different metric objects, and a reasonable metric method is adopted to measure the operating condition of the metric object in the system, which is a key for monitoring the operating state of the system and analyzing the credibility of the system.
This embodiment organically combines static measurement and dynamic measurement so that each complements the defects of the other: data that cannot be statically measured can be dynamically measured, and data that cannot be dynamically measured can be statically measured, thereby ensuring the comprehensiveness of data measurement and improving the security of the data.
Step S106, executing the target operation based on the first measurement result and the second measurement result.
In the technical solution provided in step S106 of the present invention, after the first metrology object is statically measured to obtain the first metrology result and the second metrology object is dynamically measured to obtain the second metrology result, the target operation may be executed based on the first metrology result and the second metrology result.
In this embodiment, the embodiment may determine whether the target operation is legal or not through the first metric result and the second metric result, and may perform the target operation, for example, perform a login operation, if the target operation is legal.
Through the steps S102 to S106, a first metric object and a second metric object of a target operation are determined, wherein the first metric object and the second metric object are associated; performing static measurement on the first measurement object to obtain a first measurement result, and performing dynamic measurement on the second measurement object to obtain a second measurement result; the target operation is performed based on the first metric result and the second metric result. That is to say, the embodiment combines the static measurement and the dynamic measurement to complement the respective defects, thereby realizing a credible cooperation mechanism, avoiding that the data in the operation cannot be measured comprehensively due to the single use of one measurement, solving the technical problem that the data in the operation cannot be measured comprehensively, and achieving the technical effect of measuring the data in the operation comprehensively.
The above-described method of this embodiment is further described below.
As an alternative implementation, step S102, determining the first metric object and the second metric object of the target operation, includes: determining the measurement object as a first measurement object when the type of the measurement object in the target operation is a first type, wherein the first type comprises at least one of the following types: executable code, script files, dynamic link libraries and kernel modules; in the case that the type of the metric object in the target operation is a second type, determining the metric object as a second metric object, wherein the second type includes at least one of: kernel data structure, kernel jump table, kernel execution code segment.
In this embodiment, when determining the first metric object and the second metric object of the target operation, it may be determined whether the type of a metric object involved in the target operation is a first type, where the first type is a type preset for the first metric object, for example executable code, a script file, a dynamic link library, or a kernel module. If the type of the metric object in the target operation is determined to be the first type, the metric object may be determined as the first metric object.
Optionally, the embodiment may further determine whether the type of the metric object in the target operation is a second type, where the second type is a type preset for the second metric object and may be a kernel data structure (e.g. a network address family/protocol family, a key file system structure, etc.), a kernel jump table (e.g. the IDT interrupt descriptor table, the syscall system call table, etc.), a kernel execution code segment (e.g. a process code segment, a driver code segment, a kernel code segment, etc.), and the like. If the type of the metric object in the target operation is determined to be the second type, the metric object may be determined as the second metric object.
As an alternative implementation, step S102, determining the first metric object and the second metric object of the target operation, includes: when a metrology object in a target operation executes, the metrology object is determined to be a first metrology object and a system environment associated with the metrology object is determined to be a second metrology object.
In this embodiment, when determining the first metric object and the second metric object of the target operation, a metric object that is being executed is determined as the first metric object: static measurement only checks whether the first metric object is legal when it is executed, but cannot measure the system environment related to it. The system environment associated with the first metric object is therefore determined as the second metric object, which can be measured dynamically.
As an optional implementation, when the metric object in the target operation executes, determining the metric object as the first metric object includes: when the executable code in the target operation is executed, the executable code is determined as the first metric object; specifically, the target program and the dynamic link library of the target operation may be determined as the first metric objects that need to be statically measured.
In this embodiment, the metric object in the target operation may be executable code; static measurement can only check whether the executable code is legitimate when it is executed, so the embodiment determines the executable code as the first metric object.
Optionally, when the target operation is a user login operation, a target program, that is, the login program, is started. Since static measurement can only measure whether the login program and the related dynamic link libraries are legal, the login program and the related dynamic link libraries may be determined as the first metric object.
As an alternative embodiment, determining the system environment associated with the metric object as the second metric object comprises determining a system call environment associated with the executable code, which may be the system call environment associated with the target program of the target operation, wherein the system call environment includes at least one of: the environment of a first system call for opening a target file, and the environment of a second system call for reading an input operation; the system call environment is determined as the second metric object.
In this embodiment, static measurement only checks whether the executable code is legal when it is executed, but cannot measure the system environment related to the executable code. This may result in the program being legal while the environment has been destroyed and is therefore untrusted, so that information may be stolen. For example, when the target operation is a user login operation, the login program may be legal while the login environment has been destroyed and is untrusted, and a user name and password may be stolen when the user logs in. This embodiment may determine the system call environment associated with the executable code, which may be represented by the system call table, and determine that system call environment as a second metric object that needs to be dynamically measured, thereby avoiding the problem that the environment is destroyed and untrusted and information is stolen.
In this embodiment, the static measurement can only measure whether the target program and the related dynamic link library are legal, but cannot measure the system call environment related to the target program. The embodiment may determine a system call context associated with the target program, and may determine the system call context as the second metric object.
In this embodiment, the system call environment may be the environment of a first system call that opens a target file, for example the open system call opening the passwd file; it may also be the environment of a second system call that reads an input operation, for example the read system call reading keyboard input.
As an optional implementation, determining the second metric object of the target operation includes: determining the metric object as the second metric object, which may be determining the executable code as the second metric object when the executable code in the target operation is in the running process, wherein the executable code is the code of a target remote service.
In this embodiment, when the metric object in the target operation is in the running process, static measurement cannot check it, so whether the metric object is tampered with while running cannot be verified through static measurement; the metric object may therefore be determined as a second metric object that needs to be dynamically measured.
In this embodiment, when the executable code in the target operation is in the running process, static measurement cannot check the running executable code, so whether the executable code is tampered with while running cannot be verified through static measurement; the running executable code may therefore be determined as the second metric object that needs to be dynamically measured.
In this embodiment, when the executable code in the target operation is in the running process, the executable code is determined as the second metric object. The executable code may be the code of a target remote service, and the target remote service may be an SSH service: static measurement can verify whether the target remote service is legal when it starts, but cannot verify whether the SSH service is tampered with while it runs, so the target remote service is determined as the second metric object that needs to be dynamically measured.
As an optional implementation, dynamic measurement is performed on at least one of the following second measurement objects, and a second measurement result is obtained: a process code segment, a kernel code segment, a system call table, an interrupt descriptor table, a network address family or protocol family, a file system, and a driver code segment.
In this embodiment, when implementing dynamic measurement on the second metric object, the dynamic measurement may be performed on a process code segment determined by the login process code segment, on a kernel code segment, on the system call table determined by opening a program file via the open system call and reading a user name/password via the read system call, on the interrupt descriptor table, on a network address family/protocol family determined by the network protocol related to remote SSH login, on a file system, or on a driver code segment determined by the mouse/keyboard driver code segment and the network card driver code segment, thereby obtaining the second metric result.
As an optional implementation, performing static measurement on the first measurement object to obtain a first measurement result includes performing static measurement on the first measurement object based on the second measurement result. This includes verifying, based on the second measurement result, the legality of the intercepted program load for at least one of the program file, the dynamic library file and the keyboard driver, and/or verifying, based on the second measurement result, the legality of the intercepted file access to the configuration file, to obtain the first measurement result.
In this embodiment, when static measurement is performed on the first metric object to obtain the first metric result, the static measurement may be performed on the first metric object based on the second metric result, and the legality of the intercepted program load may be verified when at least one of loading a program file, loading a dynamic library file (for example a PAM library) and loading a keyboard driver is performed after the login program is executed.
After performing dynamic measurement on the second metric object and obtaining the second metric result, the embodiment may further perform static measurement on the reading of a configuration file (for example, the passwd file used to verify the user name and password), that is, verify the legality of the intercepted file access, where reading the configuration file may be a step performed after the user name/password has been read.
The embodiment combines static measurement and dynamic measurement so that each complements the defects of the other. It avoids the situation in which static measurement only confirms that the executable code is legal when executed but cannot measure the current system environment related to it, and the situation in which static measurement cannot check the executable code while it is running; it also avoids the situation in which dynamic measurement cannot measure in time when the system environment is damaged and cannot control or intercept. This realizes a credible cooperation mechanism, avoids the condition that data in operation cannot be measured comprehensively due to the use of a single kind of measurement, solves the technical problem that data in operation cannot be measured comprehensively, and achieves the technical effect of measuring data in operation comprehensively.
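The cooperation described in steps S102 to S106 and in the alternative implementations above, as an added Python model that is not code from the patent or its assignee: metric objects are sorted by type (S102), measured as a SHA-256 digest of a snapshot against a reference baseline (S104), and a login is allowed only when both results pass (S106), with program loads verified on top of the dynamic result. All object names, contents, baselines and helper names are constructed assumptions.

```python
# Added example (not code from the patent or its assignee): a minimal model of
# steps S102-S106 and of Example 1's rule that program loads are verified on top
# of the dynamic result. Names, contents and baselines are constructed samples.
import hashlib
from dataclasses import dataclass
from enum import Enum


class MetricType(Enum):
    FIRST = "static"    # measured when the object is loaded or executed
    SECOND = "dynamic"  # measured while the target operation is running


# The "first type" and "second type" lists from the description.
FIRST_TYPE_KINDS = {"executable", "script", "dynamic_library", "kernel_module"}
SECOND_TYPE_KINDS = {"kernel_data_structure", "kernel_jump_table",
                     "kernel_code_segment"}


@dataclass(frozen=True)
class MetricObject:
    name: str
    kind: str
    content: bytes  # file bytes (first type) or memory snapshot (second type)


def classify(obj: MetricObject) -> MetricType:
    """Step S102: assign a metric object to the first or second set by type."""
    if obj.kind in FIRST_TYPE_KINDS:
        return MetricType.FIRST
    if obj.kind in SECOND_TYPE_KINDS:
        return MetricType.SECOND
    raise ValueError(f"unknown metric object kind: {obj.kind}")


def digest(content: bytes) -> str:
    """Measurement is modelled as a SHA-256 digest of the object's snapshot."""
    return hashlib.sha256(content).hexdigest()


def measure(objects, baseline):
    """Step S104: {name: digest matches baseline}; unknown objects are untrusted."""
    return {o.name: baseline.get(o.name) == digest(o.content) for o in objects}


def run_target_operation(objects, baseline):
    """Steps S102-S106 for one target operation (here: a user login).

    The dynamic result is taken first; static verification of program and
    library loads is accepted only on top of a trusted environment (the
    "static measurement based on the second measurement result" rule).
    Returns (allowed, first_result, second_result).
    """
    first = [o for o in objects if classify(o) is MetricType.FIRST]
    second = [o for o in objects if classify(o) is MetricType.SECOND]

    second_result = measure(second, baseline)  # kernel tables, code segments
    if not all(second_result.values()):
        # Environment tampered: every program load is intercepted, even when
        # the program file itself still matches its reference digest.
        return False, {o.name: False for o in first}, second_result

    first_result = measure(first, baseline)  # login program, PAM lib, driver
    return all(first_result.values()), first_result, second_result


# --- constructed sample data (not real files or kernel contents) -------------
LOGIN_PROGRAM = MetricObject("/bin/login", "executable", b"ELF login (sample)")
PAM_LIBRARY = MetricObject("pam_unix.so", "dynamic_library", b"ELF pam (sample)")
KEYBOARD_DRIVER = MetricObject("kbd.ko", "kernel_module", b"ELF kbd (sample)")
SYSCALL_TABLE = MetricObject("syscall_table", "kernel_jump_table",
                             b"open=sys_open;read=sys_read")
IDT = MetricObject("idt", "kernel_jump_table", b"irq1=kbd_handler")
LOGIN_TEXT = MetricObject("login_process_text", "kernel_code_segment",
                          b"login .text (sample)")
TRUSTED_OBJECTS = [LOGIN_PROGRAM, PAM_LIBRARY, KEYBOARD_DRIVER,
                   SYSCALL_TABLE, IDT, LOGIN_TEXT]
BASELINE = {o.name: digest(o.content) for o in TRUSTED_OBJECTS}


def _with(replacement):
    """Copy of the trusted object list with one object swapped out by name."""
    return [replacement if o.name == replacement.name else o
            for o in TRUSTED_OBJECTS]

def login_on_clean_system():
    return run_target_operation(TRUSTED_OBJECTS, BASELINE)

def login_with_hooked_read_syscall():
    """Files intact, but the read entry of the syscall table was redirected:
    static measurement alone would pass; the dynamic result must block it."""
    hooked = MetricObject("syscall_table", "kernel_jump_table",
                          b"open=sys_open;read=hook_read")
    return run_target_operation(_with(hooked), BASELINE)

def login_with_modified_pam():
    """Environment intact, but the PAM library on disk was replaced: the load
    is intercepted by the static measurement."""
    bad_pam = MetricObject("pam_unix.so", "dynamic_library", b"ELF pam (mod)")
    return run_target_operation(_with(bad_pam), BASELINE)
```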
Example 2
The data processing method according to the embodiment of the present invention will be further illustrated with reference to the preferred embodiments.
In this embodiment, the static metric function, which prevents unauthorized code from executing, is the most important function for runtime trust of the system. The static measurement scheme follows the overall scheme of the trusted software base, and the static measurement function can be completed by a measure, judge and control mechanism. The static metric objects of this embodiment may include binary executables (programs in ELF format on a Linux system), script files, dynamically linked libraries, kernel modules, and the like.
In this embodiment, the dynamic measurement function selects an appropriate measurement opportunity for each kind of metric object and measures the running state of the metric objects in the system using a suitable measurement method. Dynamic measurement is the key to monitoring the running state of the system and analysing its trustworthiness. The dynamic metric objects of this embodiment may be divided into three broad categories: kernel critical data structures (for example, the network address family/protocol family and critical file system structures), kernel critical jump tables (for example, the IDT interrupt descriptor table and the syscall system call table), and kernel critical execution code segments (for example, process code segments, driver code segments and kernel code segments).
When only static measurement is used, it checks whether executable code is legal at the moment the code is executed, but it cannot measure the current system environment related to that code. For example, when a user logs in, the login program is started; static measurement can only check whether the login program and its related dynamic link libraries are legal, but cannot measure the system environment related to the login, such as the open system call used to open the password file or the read system call used to read keyboard input. Even though the login program is legal, the login environment may be damaged and untrustworthy, and the username and password may be stolen when the user logs in. In addition, static measurement cannot check executable code while it is running: for example, it can verify whether the SSH service is legal when the service starts, but cannot verify whether the SSH service is tampered with while it is running.
When only dynamic measurement is used, the measurement is performed on a timed (periodic) basis rather than in real time, so the dynamic measurement cannot measure in time when the system environment is damaged; in addition, dynamic measurement cannot perform control or interception.
This embodiment combines static and dynamic measurement so that each compensates for the defects of the other. The trusted system mechanism of this embodiment is described below using a user login operation as an example.
FIG. 2 is a schematic diagram of a trusted system mechanism according to an embodiment of the present invention. As shown in fig. 2, this trusted system mechanism involves the following steps:
Step S201, the Login program is executed.
Step S202, a program file is loaded.
Step S203, a dynamic library file is loaded.
The dynamic library file of this embodiment may be a pam library or the like.
Step S204, the keyboard driver is loaded.
Step S205, the username/password is read.
Step S206, a configuration file is read.
The configuration file read in this embodiment may be, for example, the passwd file read to verify the username and password.
Step S207, the Login process code segment.
Step S208, a process code segment is determined.
Step S209, a kernel code segment is determined.
Step S210, the open system call opens a program file.
Step S211, the read system call reads the username/password.
Step S212, a system call table is determined.
Step S213, an interrupt descriptor table is determined.
Step S214, the network protocols related to remote SSH login.
Step S215, a network address family/protocol family is determined.
Step S216, the file system is determined.
Step S217, the mouse/keyboard driver code segment and the network card driver code segment.
Step S218, a driver code segment is determined.
Step S219, dynamic measurement is performed.
In this embodiment, dynamic measurement is performed on at least one of: a process code segment, a kernel code segment, a system call table, an interrupt descriptor table, a network address family or protocol family, a file system, and a driver code segment.
Step S220, the legality of program loading is verified and illegal loading is intercepted.
In this embodiment, the legality of program loading is verified, and illegal loading intercepted, for at least one of the program file, the dynamic library file and the keyboard driver, thereby realizing static measurement.
Step S221, the legality of file access is verified and illegal access is intercepted.
In this embodiment, the legality of file access to the configuration file is verified, and illegal access intercepted, thereby realizing static measurement.
In this way the embodiment combines static and dynamic measurement so that each compensates for the defects of the other: static measurement alone only checks whether executable code is legal when it is executed and can measure neither the related current system environment nor the code while it is running, while dynamic measurement alone cannot measure in time when the system environment is damaged and cannot perform control or interception. Together they realize a trusted cooperation mechanism, avoid the incomplete measurement of data in operation that results from using only one kind of measurement, solve the technical problem that data in operation cannot be measured comprehensively, and achieve the technical effect of measuring the data in operation comprehensively.
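As an added illustration that is not part of the patent, the following Python simulation walks the login operation of FIG. 2 through the measure/judge/control flow: the kernel objects are dynamically measured first (step S219), and each program load or configuration-file access is then statically measured against a reference value and intercepted if either its own measurement or the environment measurement fails (steps S220/S221). The object names, the byte contents, and the use of SHA-256 as the measurement value are all constructed assumptions.

```python
import hashlib
from typing import Dict, List, Tuple

# Metric object types from claim 2: the first type is statically measured at
# load time, the second type is dynamically measured while the system runs.
STATIC_TYPES = {"executable", "script", "dynamic_library", "kernel_module"}
DYNAMIC_TYPES = {"kernel_data_structure", "kernel_jump_table", "kernel_code_segment"}


def classify(obj_type: str) -> str:
    """Return 'first' (static metric object) or 'second' (dynamic metric object)."""
    if obj_type in STATIC_TYPES:
        return "first"
    if obj_type in DYNAMIC_TYPES:
        return "second"
    raise ValueError(f"unknown metric object type: {obj_type}")


def digest(data: bytes) -> str:
    """Measurement value of an object; SHA-256 of its bytes is an assumption here."""
    return hashlib.sha256(data).hexdigest()


class TrustedSoftwareBase:
    """Reference values plus the measure / judge / control logic of the text."""

    def __init__(self, reference: Dict[str, str]):
        self.reference = reference  # object name -> expected digest

    def dynamic_measure(self, environment: Dict[str, bytes]) -> Dict[str, bool]:
        """Step S219: measure kernel objects (syscall table, IDT, code segments)."""
        return {name: self.reference.get(name) == digest(data)
                for name, data in environment.items()}

    def static_measure(self, name: str, data: bytes, env_ok: bool) -> bool:
        """Steps S220/S221: a load or file access is legal only if the object
        matches its reference AND the dynamic result shows a sound environment."""
        return env_ok and self.reference.get(name) == digest(data)

    def run_login(self, loads: List[Tuple[str, str, bytes]],
                  config: Tuple[str, bytes],
                  environment: Dict[str, bytes]) -> Tuple[bool, str]:
        """The login operation of FIG. 2: `loads` holds (name, type, bytes) in
        load order, `config` is the configuration file read after the
        username/password, `environment` the kernel objects measured in S219.
        The first illegal object is intercepted. Returns (allowed, reason)."""
        second = self.dynamic_measure(environment)
        env_ok = all(second.values())
        tampered = [n for n, ok in second.items() if not ok]
        checks = [(n, d) for n, t, d in loads if classify(t) == "first"] + [config]
        for name, data in checks:
            if not self.static_measure(name, data, env_ok):
                why = f"environment tampered {tampered}" if tampered else "mismatch"
                return False, f"intercepted {name}: {why}"
        return True, "login allowed: static and dynamic measurements agree"


# Constructed stand-ins for the real files and kernel structures (sample data).
LOGIN, PAM, KBD, PASSWD = b"login-elf", b"pam_unix.so", b"kbd.ko", b"root:x:0:0"
SYSCALLS, IDT = b"sys_open sys_read", b"idt-entries"
OBJECTS = {"login": LOGIN, "pam": PAM, "keyboard": KBD, "passwd": PASSWD,
           "syscall_table": SYSCALLS, "idt": IDT}
TSB = TrustedSoftwareBase({n: digest(d) for n, d in OBJECTS.items()})


def login_attempt(pam: bytes = PAM, syscalls: bytes = SYSCALLS) -> Tuple[bool, str]:
    """One login; override `pam` or `syscalls` to simulate tampering."""
    loads = [("login", "executable", LOGIN), ("pam", "dynamic_library", pam),
             ("keyboard", "kernel_module", KBD)]
    return TSB.run_login(loads, ("passwd", PASSWD),
                         {"syscall_table": syscalls, "idt": IDT})
```

Calling `login_attempt()` with intact objects returns allowed; altered `pam` bytes are caught by the static check of the library load, while an altered `syscalls` table is caught only through the dynamic result even though the login program itself measures as legal.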
Example 3
The embodiment of the invention also provides a data processing device. It should be noted that the data processing apparatus of this embodiment may be used to execute the data processing method described in embodiment 1 of the present invention.
Fig. 3 is a schematic diagram of a data processing apparatus according to an embodiment of the present invention. As shown in fig. 3, the data processing apparatus 30 may include: a determination unit 31, a measurement unit 32 and an execution unit 33.
A determining unit 31, configured to determine a first metric object and a second metric object of a target operation, where the first metric object and the second metric object are associated.
The measurement unit 32 is configured to perform static measurement on the first measurement object to obtain a first measurement result, and perform dynamic measurement on the second measurement object to obtain a second measurement result.
An execution unit 33 for executing the target operation based on the first metric result and the second metric result.
By combining static and dynamic measurement so that each compensates for the defects of the other, the data processing apparatus of this embodiment realizes a trusted cooperation mechanism, avoids the incomplete measurement of data in operation that results from using only one kind of measurement, solves the technical problem that data in operation cannot be measured comprehensively, and achieves the technical effect of measuring the data in operation comprehensively.
Example 4
According to an embodiment of the present invention, there is also provided a storage medium including a stored program, wherein the program is executed by a processor to perform the data processing method described in embodiment 1.
Example 5
According to an embodiment of the present invention, there is also provided a processor, configured to execute a program, where the program executes the data processing method described in embodiment 1.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A data processing method, comprising:
determining a first metric object and a second metric object of a target operation, wherein the first metric object and the second metric object are associated;
performing static measurement on the first measurement object to obtain a first measurement result, and performing dynamic measurement on the second measurement object to obtain a second measurement result;
performing the target operation based on the first metric result and the second metric result.
2. The method of claim 1, wherein determining the first metric object and the second metric object for the target operation comprises:
determining the metric object as the first metric object if the type of the metric object in the target operation is a first type, wherein the first type comprises at least one of: executable code, script files, dynamic link libraries and kernel modules;
determining the metric object as the second metric object if the type of the metric object in the target operation is a second type, wherein the second type comprises at least one of: kernel data structure, kernel jump table, kernel execution code segment.
3. The method of claim 1, wherein determining the first metric object and the second metric object for the target operation comprises:
when a metric object in the target operation executes, the metric object is determined to be the first metric object and a system environment associated with the metric object is determined to be the second metric object.
4. The method of claim 3, wherein determining the metric object as the first metric object when the metric object in the target operation executes comprises:
when the executable code in the target operation executes, a target program and a dynamically linked library of the target operation are determined as the first metric object.
5. The method of claim 4, wherein determining the system environment associated with the metric object as the second metric object comprises:
determining a system call environment associated with a target program of the target operation, wherein the system call environment comprises at least one of: an environment of a first system call for opening a target file, and an environment of a second system call for reading an input operation;
determining the system call environment as the second metric object.
6. The method of claim 3, wherein determining a second metric object for a target operation comprises:
when the executable code in the target operation is in the running process, determining the executable code as the second metric object, wherein the executable code is the code of the target remote service.
7. The method according to any one of claims 1 to 6, wherein dynamic measurement is performed on the second metric object to obtain the second metric result, wherein the second metric result is at least one of: a process code segment, a kernel code segment, a system call table, an interrupt descriptor table, a network address family or protocol family, a file system, and a driver code segment.
8. A data processing apparatus, comprising:
a determining unit, configured to determine a first metric object and a second metric object of a target operation, wherein the first metric object and the second metric object are associated;
a measurement unit, configured to perform static measurement on the first metric object to obtain a first metric result and dynamic measurement on the second metric object to obtain a second metric result;
an execution unit, configured to execute the target operation based on the first metric result and the second metric result.
9. A storage medium comprising a stored program, wherein the program, when executed by a processor, controls an apparatus in which the storage medium is located to perform the method of any one of claims 1 to 7.
10. A processor, characterized in that the processor is configured to run a program, wherein the program when running performs the method of any of claims 1 to 7.
CN202010382663.XA 2020-05-08 2020-05-08 Data processing method, device, storage medium and processor Active CN111581646B (en)
Publications (2)

Publication Number Publication Date
CN111581646A 2020-08-25
CN111581646B 2023-11-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant